Is cybersecurity risk factor disclosure informative?: evidence from disclosures following a data breach
By examining managers’ decisions about disclosing updated assessments of firms’ risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a n...
| Authors: | ; ; |
|---|---|
| Format: | Electronic Article |
| Language: | English |
| Check availability: | HBZ Gateway |
| Journals Online & Print: | Drawer...
|
| Fernleihe: | Fernleihe für die Fachinformationsdienste |
| Published: |
Springer Science + Business Media B. V
2023
|
| In: |
Journal of business ethics
Year: 2023, Volume: 187, Issue: 1, Pages: 199-224 |
| Further subjects: | B
Cyber business ethics
B Aufsatz in Zeitschrift B Data breach B Book Review B Cybersecurity risk factor disclosures |
| Online Access: |
Volltext (kostenfrei) Volltext (kostenfrei) |
| Summary: | By examining managers’ decisions about disclosing updated assessments of firms’ risks, we present evidence that the risk factor disclosures are informative. We use the setting of cybersecurity risk factor disclosures after a data breach because data breaches, especially severe breaches, serve as a natural experiment where an exogenous shock to managers’ assessment of their firm’s cybersecurity risks occurs. We analyze the topic from the perspective of two different theoretical lenses: the economic lens of optimal risk exposure and the ethical lens of stakeholder theory. Using a sample of firms experiencing data breaches, we find that firms experiencing a data breach increase the amount of cybersecurity risk factor disclosures compared to matched firms with no data breach. Further investigation reveals that the severity of data breaches affects the results; cybersecurity risk factor disclosures increase only after severe data breaches. While there is no significant market reaction if breached firms’ subsequent annual reports include increased cybersecurity risk factor disclosures, a significant negative market reaction occurs if breached firms decrease cybersecurity risk factor disclosures, regardless of the severity of the breach, implying that the market anticipates increased disclosures after data breaches. |
|---|---|
| ISSN: | 1573-0697 |
| Contains: | Enthalten in: Journal of business ethics
|
| Persistent identifiers: | DOI: 10.1007/s10551-022-05107-z |